Bazar malware may be new tool in Trickbot arsenal

A new strain of Malware loader and backdoor dubbed Bazar, which can be used to deploy additional malware and ransomware and exfiltrate data, is targeting healthcare, IT, manufacturing, logistics and professional services companies across the US and Europe, according to the Cybereason Nocturnus threat research team.

Bazar first emerged in April 2020 and is being tracked by Assaf Dahan, Daniel Frank and Mary Zhao of Cybereason. Distributed through phishing emails exploiting subjects such as the Covid-19 coronavirus pandemic, it appears to have strong ties to previous Trickbot campaigns, being delivered through a similar infection chain – it also reuses associated domains, uses revoked certificates to sign malware, and has almost identical decryption routines.

After establishing an initial bridgehead in the target environment using the loader, the backdoor establishes persistence, letting the cyber criminals behind it deploy other payloads such as ransomware, post-exploitation frameworks such as CobaltStrike, as well as stealing data and executing remote commands.

The Nocturnus team said it had found several different versions of Bazar in circulation, suggesting it is being actively developed and updated by its creators, who are almost certainly based in Russia – evidenced by the fact that it tries to avoid targeting users in that geography by checking to see if the Russian language is installed on its target machine.

“Based on our investigation, Cybereason estimates that the new malware family is the latest sophisticated tool in Trickbot gang’s arsenal, that so far has been selectively observed on a handful of high-value targets,” Dahan wrote in a disclosure blog post.

“The Bazar malware is focused on evasion, stealth, and persistence. The malware authors are actively testing a few versions of their malware, trying to obfuscate the code as much as possible, and hiding the final payload while executing it in the context of another process. To further evade detection, the Bazar loader and backdoor use a different network call back scheme from previously seen Trickbot-related malware. 

“Post-infection, the malware gives threat actors a variety of command and code execution options, along with built-in file upload and self-deletion capabilities. This variety allows attackers to be dynamic while exfiltrating data, installing another payload on the targeted machine, or spreading further on the network. In general, having more options ensures the threat actors can adjust to changes in their goals or victim’s environment,” he said.

The Nocturnus team also observed that despite first releasing Bazar in April, it then promptly disappeared for a hiatus lasting almost two months until a new variant was spotted in June. Dahan said this clearly demonstrated that the malware’s authors had taken time to re-examine and improve their code to make Bazar harder to spot and deal with.

Among other things, they changed some of the original versions more detectable characteristics, such as strings that were previously hardcoded, and modifying the known shellcode decryption routine.

Cybereason said that while Bazar is clearly still at the development stage, its evolution suggested the rise of a “formidable” new threat in the not-too-distant future.

More information on Bazar, including screenshots, in-depth technical details and indicators of compromise (IoCs) can be found on Cybereason’s disclosure blog.